Foxit Software Products are Vulnerable to RCE Attacks

On 16 April 2020, Foxit Software announced security updates for two of its products, Foxit Reader and PhantomPDF. Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files; with up to 500 million users, it is a popular alternative to Adobe Reader. Meanwhile, Foxit PhantomPDF enables users to convert different file formats to PDF.

The vulnerabilities in both products allow attackers to execute arbitrary code remotely. The attack requires user interaction: the target must open a malicious PDF file. The two products have different security flaws, however. For Foxit Reader, the specific flaws exist within “the processing of XFA templates” (CVE-2020-10899), “the processing of AcroForms” (CVE-2020-10900), the “resetForm method” (CVE-2020-10906), and the “handling of widgets in XFA forms” (CVE-2020-10907), whereas the flaws in Foxit PhantomPDF lie in the handling of the “ConvertToPDF” (CVE-2020-10890) and “CombineFiles” (CVE-2020-10892) commands, which allows an arbitrary file write with attacker-controlled data. Another flaw exists within the handling of the “SetFieldValue” command of the communication API (CVE-2020-10912).

The security flaws in Foxit Reader stem from a failure to validate that an object exists before performing operations on it, while those in Foxit PhantomPDF stem from a lack of proper validation of user-supplied data, which can result in a type confusion condition. Attackers can leverage these weaknesses to execute code in the context of the current process.

Foxit Software also released a security patch for the beta version of the U3DBrowser Plugin (9.7.1.29511 and earlier), a Foxit Reader and PhantomPDF plugin that allows viewing embedded 3D annotations in PDF files. The plugin flaws lie in the handling of U3D objects in PDF files. The vulnerabilities include CVE-2020-10896, CVE-2020-10893, CVE-2020-10895, CVE-2020-10902, CVE-2020-10904, and CVE-2020-10898. All the vulnerabilities described above can be resolved by updating to the latest versions of Foxit Reader, Foxit PhantomPDF, and the plugin, namely 3D Plugin Beta 9.7.2.29539.

As one of the IT security experts in Indonesia, Defender Nusa Semesta (DNS) is committed to alerting you about the latest cyber trends and threats. Through articles like this, we hope that you can stay vigilant about the security of software and solutions that you are using, especially Foxit Software users.
